diff options
| author | Laura Abbott <labbott@fedoraproject.org> | 2017-06-05 08:51:55 -0700 |
|---|---|---|
| committer | Laura Abbott <labbott@fedoraproject.org> | 2017-06-05 08:53:23 -0700 |
| commit | abd2ac600395062e685e144cb8b1cd759bcc6cc1 (patch) | |
| tree | 7c040e96dff0070cf6eeeb7bbb10794d3cf61762 | |
| parent | c4db36809d105415396ee85788a416032c8ce1e9 (diff) | |
| download | kernel-abd2ac600395062e685e144cb8b1cd759bcc6cc1.tar.gz kernel-abd2ac600395062e685e144cb8b1cd759bcc6cc1.tar.xz kernel-abd2ac600395062e685e144cb8b1cd759bcc6cc1.zip | |
Actually fix ipsec encapsulation problems (rhbz 1458222 1458499)
| -rw-r--r-- | actual_udpencap_fix.patch | 45 | ||||
| -rw-r--r-- | kernel.spec | 7 |
2 files changed, 52 insertions, 0 deletions
diff --git a/actual_udpencap_fix.patch b/actual_udpencap_fix.patch new file mode 100644 index 000000000..bba8b7676 --- /dev/null +++ b/actual_udpencap_fix.patch @@ -0,0 +1,45 @@ +From: Steffen Klassert <steffen.klassert@secunet.com> +Subject: [PATCH] esp4: Fix udpencap for local TCP packets. + +Locally generated TCP packets are usually cloned, so we +do skb_cow_data() on this packets. After that we need to +reload the pointer to the esp header. On udpencap this +header has an offset to skb_transport_header, so take this +offset into account. + +Fixes: commit cac2661c53f ("esp4: Avoid skb_cow_data whenever possible") +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +--- + net/ipv4/esp4.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index b1e2444..ab71fbb 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -223,6 +223,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + int extralen; + int tailen; + __be64 seqno; ++ int esp_offset = 0; + __u8 proto = *skb_mac_header(skb); + + /* skb is pure payload to encrypt */ +@@ -288,6 +289,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + break; + } + ++ esp_offset = (unsigned char *)esph - (unsigned char *)uh; ++ + *skb_mac_header(skb) = IPPROTO_UDP; + } + +@@ -397,7 +400,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + goto error; + nfrags = err; + tail = skb_tail_pointer(trailer); +- esph = ip_esp_hdr(skb); ++ esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset); + + skip_cow: + esp_output_fill_trailer(tail, tfclen, plen, proto); diff --git a/kernel.spec b/kernel.spec index 9a832c746..bf6059605 100644 --- a/kernel.spec +++ b/kernel.spec @@ -642,6 +642,10 @@ Patch676: 2-2-nvme-Quirk-APST-on-Intel-600P-P3100-devices.patch # Networking fix reported on bodhi Patch678: net-v2-ip6_tunnel-ip6_gre-fix-setting-of-DSCP-on-encapsulated-packets.patch +# rhbz 1458222 1458499 +# As linked from http://marc.info/?l=linux-netdev&m=149336766030175&w=2 +Patch679: actual_udpencap_fix.patch + # END OF PATCH DEFINITIONS %endif @@ -2206,6 +2210,9 @@ fi # # %changelog +* Mon Jun 05 2017 Laura Abbott <labbott@fedoraproject.org> +- Actually fix ipsec encapsulation problems (rhbz 1458222 1458499) + * Fri Jun 02 2017 Laura Abbott <labbott@fedoraproject.org> - Turn CONFIG_GPIO_SYSFS back on |